Bot Targets Routers, Embedded IoT Devices

Tuesday, April 5, 2016 @ 04:04 PM gHale

There is new malware targeting embedded systems to make them part of a botnet, researchers said.

Called “Remaiten” (Linux/ Remaiten), the malware combines the capabilities of other malware versions like Tsunami (also known as Kaiten) and Gafgyt, and also brings a series of improvements and new features, said researchers at ESET.

Three versions of Remaiten have already emerged, while the malware authors call their creation “KTN-Remastered” or “KTN-RM,” ESET researchers said.

One of the capabilities Remaiten borrows from Gafgyt is telnet scanning, though Remaiten enjoys a series of improvements, ESET’s Michal Malik said in a blog post. Both do rely on improperly secured devices for a positive infection.

Gafgyt attempts to connect to random routers via port 23, which it then issues a shell command to download bot executables for multiple architectures and tries to run them. Remaiten, on the other hand, carries downloaders for CPU architectures commonly used in embedded Linux devices, then tries to trigger the device’s platform to drop only the appropriate downloader.

When executed, the bot runs in the background and changes its process name to look legitimate, with two versions using “-bash” for that (namely Remaiten 2.0 and 2.1), and the third (version 2.2) using “-sh.” Next, using the create_daemon function, the bot creates a file named “.kpid” in one of the predefined daemon directories and writes its PID to a file.

The bot binaries include a hardcoded list of C&C server IP addresses, and the malware chooses one at random and connects to it on a hardcoded port (the port is different from one variant to another).

Upon successful connection to the C&C server, the bot checks-in on the IRC channel, and the server replies with a welcome message and further instructions.

There are various IRC commands the bot supports, one of which is “PRIVMSG,” used to instruct the bot to perform nefarious operations such as flooding, downloading files, and telnet scanning. According to ESET researchers, most of these capabilities come from the Linux/Tsunami malware, while the rest ended up borrowed from Linux/Gafgyt.

The bot sends to the C&C server information such as device’s IP address, the successful username and password pair, and whether it infected the other device or not. The malware also supports a “KILLBOTS” command, which allows it to enumerate running processes and kill some of them based on a few criteria, mainly because of their names.

Researchers also discovered that Remaiten version 2.2 includes a wget/tftp command to download a shell script that downloads the bot binaries, including files that target platforms such as PowerPC and SuperH. This shows attacker are ready for any situation, as they went to the trouble of compiling their malware for these architectures.